A Step-by-Step Guide to Configure Hybrid Azure AD Join


Configuring Hybrid Azure AD Join can seem daunting, but it's actually a straightforward process.

To get started, you'll need to prepare your on-premises Active Directory. This involves creating a trust between your on-premises AD and Azure AD, which can be done using Azure AD Connect.

Next, you'll need to configure Azure AD Connect to synchronize your on-premises user accounts to Azure AD. This is done by setting up the directory synchronization feature.

With your on-premises AD prepared and Azure AD Connect configured, you can then enable Hybrid Azure AD Join for your users. This involves setting the Azure AD Join policy to allow hybrid join for your users.

Prerequisites

To configure hybrid Azure AD join, you'll need to ensure you're running the latest version of Azure AD Connect, which is version 1.1.819.0 or later. This is a crucial step to take before proceeding.

You'll also need to have Hybrid Identity Administrator credentials for your Microsoft Entra tenant. This will give you the necessary access to configure Azure AD Connect.


To complete the setup, you'll need to have enterprise administrator credentials for each of the on-premises Active Directory Domain Services forests. This will allow you to manage the association between computer accounts in your on-premises Active Directory and device objects in Azure AD.

You'll also need to ensure that at least Windows Server 2012 R2 with Active Directory Federation Services is installed for federated domains. This will enable the necessary functionality for hybrid Azure AD join.

Users must be able to register their devices with Microsoft Entra ID. You can find more information about this setting under the heading Configure device settings.

Here is what Azure AD Connect is required for in a hybrid join:

  • Keeps the association between the computer account in your on-premises Active Directory (AD) and the device object in Azure AD.
  • Enables other device-related features like Windows Hello for Business.

You'll also need to be aware of the supported scenarios and constraints for hybrid Azure AD join. Specifically, you should understand the difference between Windows current devices and Windows down-level devices.

Here's a list of Windows down-level devices:

  • Windows 8.1
  • Windows 7
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008

Additionally, you'll need to ensure that the necessary URLs are allowed in your network for Azure AD Connect to function correctly. These URLs include:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com
  • https://autologon.microsoftazuread-sso.com

Configure Hybrid Azure AD Join


To configure hybrid Azure AD join, you'll need to create a service connection point (SCP) in Azure. This is done by opening Azure AD Connect and clicking on Configure.

You'll then select the types of devices you intend to onboard, such as Windows 10 or later domain-joined devices. Click Next to continue.

Next, you'll create the SCP in Azure to allow your devices to read Azure AD tenant information. Check your forest name under Forest and choose Azure Active Directory as the Authentication Service.

To do this, you'll need to provide credentials for your on-prem enterprise admin account. This will allow Azure AD Connect to configure the SCP correctly.

When the wizard finishes, it lists any additional configuration steps that remain. Note them, then click Exit.

Here's an overview of the steps required for hybrid Azure AD join:

To avoid certificate prompts when users register devices, you can push a policy to your domain-joined devices to add the following URL to the Local Intranet zone in Internet Explorer: https://device.login.microsoftonline.com.

Federation and Domains


Managed domains are the most common deployment for Microsoft Entra hybrid join, using password hash sync (PHS) or pass-through authentication (PTA) with seamless single sign-on.

In a managed domain scenario, you don't need to configure a federation server. However, for federated environments, you'll need to ensure your identity provider supports specific requirements.

To configure Microsoft Entra hybrid join for a federated environment, you'll need to enable the WIAORMULTIAUTHN claim and WS-Trust protocol. Additionally, you'll need to disable WS-Trust Windows endpoints on the Web Application Proxy and ensure they're only exposed as intranet facing endpoints.

Here are the specific requirements for a federated environment using Active Directory Federation Services (AD FS):

To get a list of your verified company domains in Azure AD, you can use the Get-MsolDomain cmdlet. Note that the MSOnline module that provides it has been deprecated in favour of the Microsoft Graph PowerShell cmdlet Get-MgDomain, which returns the same list.

Federated Domains

In a federated environment, it's essential to have an identity provider that supports specific requirements. These requirements include the WIAORMULTIAUTHN claim, which is necessary for Microsoft Entra hybrid join on Windows down-level devices.


To enable the WS-Trust protocol, you need to enable the adfs/services/trust/2005/windowstransport and adfs/services/trust/13/windowstransport endpoints as intranet-facing endpoints only. This is crucial to prevent exposure through the Web Application Proxy.

In a federated environment using Active Directory Federation Services (AD FS), the WS-Trust endpoints are already supported. However, you need to ensure they are enabled correctly to avoid any issues.
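To put the WS-Trust endpoint requirement above into practice, here is an added PowerShell example (not from the article) that enables both windowstransport endpoints on the AD FS farm, stops them from being published through the Web Application Proxy, and verifies the result. It assumes the ADFS module is available and that it runs in an elevated session on a primary AD FS server.

```powershell
# Added example: keep the WS-Trust Windows-transport endpoints intranet-only.
# Enabled on the federation servers, never published by the Web Application Proxy.
Import-Module ADFS

$windowsTransportPaths = @(
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport'
)

foreach ($path in $windowsTransportPaths) {
    # Enable the endpoint on the farm (hybrid join needs it for Windows down-level devices)
    Enable-AdfsEndpoint -TargetAddressPath $path
    # Proxy = $false removes the endpoint from the list the WAP publishes externally
    Set-AdfsEndpoint -TargetAddressPath $path -Proxy $false
}

# Endpoint changes take effect after the AD FS service restarts; the WAP picks up
# the new publishing list on its next configuration refresh.
Restart-Service -Name adfssrv

# Verify: every windowstransport endpoint should read Enabled=True, Proxy=False.
# Any row with Proxy=True is a WS-Trust Windows endpoint still exposed to the internet.
Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '*/windowstransport' } |
    Select-Object AddressPath, Enabled, Proxy, SecurityMode
```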

To configure Microsoft Entra hybrid join in a federated environment, you'll need to use Microsoft Entra Connect. This involves several steps, including configuring device options and federation settings.

Here are the steps to configure Microsoft Entra hybrid join using Microsoft Entra Connect:

  1. Open Microsoft Entra Connect, and then select Configure.
  2. On the Additional tasks page, select Configure device options, and then select Next.
  3. On the Overview page, select Next.
  4. On the Connect to Microsoft Entra ID page, enter the credentials of a Hybrid Identity Administrator for your Microsoft Entra tenant, and then select Next.
  5. On the Device options page, select Configure Microsoft Entra hybrid join, and then select Next.
  6. On the SCP page, complete the following steps, and then select Next:
  7. On the Device operating systems page, select the operating systems that the devices in your Active Directory environment use, and then select Next.
  8. On the Federation configuration page, enter the credentials of your AD FS administrator, and then select Next.
  9. On the Ready to configure page, select Configure.
  10. On the Configuration complete page, select Exit.

Managed Domains

Managed domains are the way to go for most organizations deploying Microsoft Entra hybrid join. They use password hash sync (PHS) or pass-through authentication (PTA) for seamless single sign-on, and don't require configuring a federation server.

Managed domains are a great option because they're easy to set up. Here's a step-by-step guide to configure Microsoft Entra hybrid join for a managed domain:

  1. Open Microsoft Entra Connect, and then select Configure.
  2. In Additional tasks, select Configure device options, and then select Next.
  3. In Overview, select Next.
  4. In Connect to Microsoft Entra ID, enter the credentials of a Hybrid Identity Administrator for your Microsoft Entra tenant.
  5. In Device options, select Configure Microsoft Entra hybrid join, and then select Next.
  6. In Device operating systems, select the operating systems that devices in your Active Directory environment use, and then select Next.
  7. In SCP configuration, for each forest where you want Microsoft Entra Connect to configure a service connection point (SCP), complete the following steps, and then select Next.
  8. In Ready to configure, select Configure.
  9. In Configuration complete, select Exit.

With managed domains, you can have multiple forests, and for each one, you'll need to configure the SCP.

Setup Issuance of Claims


To set up issuance of claims, you need to ensure that your on-premises federation service, such as Active Directory Federation Services (AD FS), is configured to issue the necessary claims to Azure Active Directory (Azure AD). This includes the account type claim, which must contain a value of DJ to identify the device as a domain-joined computer.

The account type claim is crucial for device registration in Azure AD. It tells Azure AD that the authenticating principal is a domain-joined computer, so it must be issued only to computer accounts rather than to every authenticated identity. An issuance transform rule in AD FS that does this keys off membership in the Domain Computers group (RID 515) and looks like this: c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groupsid", Value =~ "-515$"] => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");.

You also need to issue the issuer ID claim, which must contain the Uniform Resource Identifier (URI) of any of the verified domain names that connect with the on-premises federation service. This claim is essential for computers. The issuer ID rule in AD FS looks like this, with <verified-domain-name> replaced by one of your verified domains: c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groupsid", Value =~ "-515$"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://<verified-domain-name>/adfs/services/trust/");.


To make things easier, you can use a helper script to create the AD FS issuance transform rules. This script will help you create the rules described above.

Here's a list of the necessary claims for device registration in Azure AD:

  • http://schemas.microsoft.com/ws/2012/01/accounttype (value: DJ)
  • http://schemas.microsoft.com/identity/claims/onpremobjectguid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
  • http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid (value: Uniform Resource Identifier of a verified domain name)
  • http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID (value: alternate login ID)
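The helper script mentioned above is not reproduced on this page, so here is an added PowerShell example (not the article's or Microsoft's script) that builds the account type, object GUID, primary SID and issuer ID rules from the claims list and appends them to the Microsoft Entra ID relying party trust. It assumes the trust carries the default name "Microsoft Office 365 Identity Platform" and that $VerifiedDomain is replaced with one of your verified federated domains; the alternate login ID (ImmutableID) rule is only needed when alternate login ID is in use and is omitted here.

```powershell
# Added example: create the AD FS issuance transform rules for hybrid join.
Import-Module ADFS
$VerifiedDomain = 'contoso.example'   # placeholder: use a verified federated domain
$RpName = 'Microsoft Office 365 Identity Platform'   # default trust name (assumption)

# Every rule is gated on Domain Computers membership (RID 515) issued by the local
# AD authority, so only genuine computer accounts receive device claims.
$Computer    = 'Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groupsid", Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"'
$AdAuthority = 'Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"'

$NewRules = @"
@RuleName = "Issue account type for domain-joined computers"
c:[$Computer]
=> issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

@RuleName = "Issue object GUID for domain-joined computers"
c1:[$Computer] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", $AdAuthority]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);

@RuleName = "Issue primary SID for domain-joined computers"
c1:[$Computer] && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", $AdAuthority]
=> issue(claim = c2);

@RuleName = "Issue issuerID for domain-joined computers"
c:[$Computer]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://$VerifiedDomain/adfs/services/trust/");
"@

$Trust = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $Trust) { throw "Relying party trust '$RpName' not found" }

# Preserve the existing rule set; append only if the hybrid join rules are absent,
# so re-running the script never duplicates rules.
$Existing = $Trust.IssuanceTransformRules
if ($Existing -match 'Issue account type for domain-joined computers') {
    Write-Warning 'Hybrid join rules already present; nothing changed'
} else {
    Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules ($Existing + "`r`n" + $NewRules)
}

# Show the rule set now on the trust for review
(Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
```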

Device Join and Management

To configure hybrid Azure AD join, you need to understand how devices are joined and managed. A Hybrid Azure AD joined device is a device that's joined with an on-premises Active Directory domain and registered with Azure Active Directory.

To find the SCP object for auto-registration of domain-joined devices, you can use ADSI Edit from Windows Administrative Tools. The SCP object is located at the OU that stores your computers.

You can check if a device is successfully joined by looking at the Devices blade in your Azure AD tenant. If the JOIN TYPE is Hybrid Azure AD Joined and REGISTERED has a recent timestamp, the device is properly configured.

Create Microsoft Entra Autopilot Profile


Creating a Microsoft Entra Autopilot profile is a straightforward process that allows you to specify how a device is configured during Windows Setup and what is shown during the out-of-box experience (OOBE).

To create a user-driven Microsoft Entra hybrid join Autopilot profile, follow these steps:

1. On the Out-of-box experience (OOBE) page, select the settings that minimize user interaction during device setup. Any option set to hidden can instead be shown to the user if you prefer.

The user-driven Microsoft Entra join scenario only joins Microsoft Entra ID during Autopilot, whereas a Microsoft Entra hybrid join scenario joins both an on-premises domain and Microsoft Entra ID during Autopilot.

To create a user-driven Microsoft Entra hybrid join Autopilot profile, you need to select the settings on the Out-of-box experience (OOBE) page.

Note that the Autopilot profile is similar to some of the configuration that takes place during a task sequence via an unattend.xml file, but Autopilot doesn't use unattend.xml files.

Joined Device



To confirm whether a Windows 10 device is registered, reboot it, run dsregcmd /status and look at the Device State section. If it shows AzureAdJoined : YES, you're good to go.

The computer object in Active Directory needs to be synced to Azure AD for the device to show as Azure AD-joined. You can try forcing a registration by running dsregcmd /join.

To check the Azure side, navigate to the Devices blade in your Azure AD tenant. Here you should see the JOIN TYPE is Hybrid Azure AD Joined and REGISTERED has a recent timestamp for the Windows 10 device.

Devices show up as ‘Registered’ and ‘Hybrid Azure AD joined’ in Azure AD, but AAD Conditional Access rules might not function correctly with the ‘Registered’ entries. To fix this, upgrade all devices to Windows 10 1903.

If a user is logged onto the joined client, they'll need to log off and on to get a primary refresh token.
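The dsregcmd checks above are easy to misread by eye, so here is an added PowerShell example (not from the article) that parses dsregcmd /status output and reports whether the device is hybrid joined and whether the signed-in user already holds a primary refresh token. The $SampleOutput block is constructed to mimic the command's format for offline use; on a real device pass (dsregcmd /status) instead.

```powershell
# Added example: turn dsregcmd /status into a pass/fail hybrid join check.
function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Rows look like "   AzureAdJoined : YES"; banners ("| Device State |") and
        # rules ("+----+") do not start with a letter and are skipped.
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    param([string[]]$Lines)
    $s = ConvertFrom-DsregStatus -Lines $Lines
    $r = [ordered]@{
        DomainJoined  = ($s['DomainJoined']  -eq 'YES')
        AzureAdJoined = ($s['AzureAdJoined'] -eq 'YES')
        HasPrt        = ($s['AzureAdPrt']    -eq 'YES')
    }
    # Hybrid join means BOTH joins; the PRT only appears after the user signs in
    # again once the device object exists in the tenant.
    $r.IsHybridJoined = $r.DomainJoined -and $r.AzureAdJoined
    $r.Problems = @(
        if (-not $r.DomainJoined)  { 'Not joined to an on-premises AD domain' }
        if (-not $r.AzureAdJoined) { 'Not registered: check SCP, allowed URLs and computer object sync' }
        if ($r.IsHybridJoined -and -not $r.HasPrt) { 'No PRT yet: user must sign out and back in' }
    )
    return [pscustomobject]$r
}

# Constructed sample output, not captured from a real device
$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
'@ -split '\r?\n'

Test-HybridJoin -Lines $SampleOutput | Format-List
```

On the constructed sample the device reports IsHybridJoined = True with the single problem "No PRT yet", which is exactly the sign-out-and-back-in case described above.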

Add Device Authentication End-point to Local Intranet Zones


To avoid certificate prompts when users register devices to authenticate to Azure AD, you can push a policy to your domain-joined devices to add the following URL to the Local Intranet zone in Internet Explorer: https://device.login.microsoftonline.com.

This URL needs to be added to the Local Intranet zone to ensure seamless authentication.

By adding the Azure AD device authentication end-point to the Local Intranet zones, you can simplify the authentication process for your users.

Frequently Asked Questions

What is the difference between Azure AD Join and Hybrid Azure AD Join?

Azure AD Join is used for cloud-first workplaces, where devices access cloud services directly. Hybrid Azure AD Join, on the other hand, allows on-premises devices to connect to cloud services through Azure AD registration.

Thomas Goodwin

Lead Writer
